Closed delprofile closed 7 years ago
Hi, I think the reason is custom port here - try using standard port for HTTPS, i.e. 443
Centrifugo on 8000, I have SSL on site... Unix upstream doesn't work. I used nginx + Apache backend
server {
    server_name hardcsgo.ru www.hardcsgo.ru;
    charset off;
    index index.html index.php;
    disable_symlinks if_not_owner from=$root_path;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/hardcsgo.ru/*.conf;
    access_log /var/www/httpd-logs/hardcsgo.ru.access.log;
    error_log /var/www/httpd-logs/hardcsgo.ru.error.log notice;
    ssi on;
    set $root_path /var/www/hardcsgo/data/www/hardcsgo.ru/public;
    root $root_path;
    listen 185.87.49.66:80;
    listen [2a02:f680:1:1100::3985]:80;
    location / {
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            try_files $uri $uri/ @fallback;
        }
        location / {
            try_files /does_not_exists @fallback;
        }
    }
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        access_log off;
    }
}
server {
    server_name hardcsgo.ru www.hardcsgo.ru;
    ssl on;
    ssl_certificate "/var/www/httpd-cert/hardcsgo/hardcsgo.ru.crtca";
    ssl_certificate_key "/var/www/httpd-cert/hardcsgo/hardcsgo.ru.key";
    ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4:!RSA+3DES;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000;";
    ssl_dhparam /etc/ssl/certs/dhparam4096.pem;
    charset off;
    index index.html index.php;
    disable_symlinks if_not_owner from=$root_path;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/hardcsgo.ru/*.conf;
    access_log /var/www/httpd-logs/hardcsgo.ru.access.log;
    error_log /var/www/httpd-logs/hardcsgo.ru.error.log notice;
    ssi on;
    set $root_path /var/www/hardcsgo/data/www/hardcsgo.ru/public;
    root $root_path;
    listen 185.87.49.66:443;
    listen [2a02:f680:1:1100::3985]:443;
    location / {
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            try_files $uri $uri/ @fallback;
        }
        location / {
            try_files /does_not_exists @fallback;
        }
    }
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        access_log off;
    }
}
You are posting to https://*********.ru:8000/centrifugo/api/
- try to get rid of the port part, i.e. use something like https://*********.ru/centrifugo/api/
and proxy requests to Centrifugo.
That's what I wrote: the nginx proxy doesn't work for me, it returns a file when accessed, even though I set the MIME types and so on.
Please look at this - looks similar to your current problem. And pay attention to:
one of the most common causes for this issue is that your certificate does not embed its intermediate CA certificates. Try fixing your certificate before trying anything else
It's not a decision to use a third-party module when there is SSL support in the request module. Maybe you should add to jscent variables when strictSSL for the agent to get by using standard methods?
Not sure what you mean. There are 2 possible solutions:
1) Fix your certificate chain
2) Disable certificate verifying in jscent (not secure)
If you follow links on SO - there is a link to https://www.npmjs.com/package/ssl-root-cas where author describes possible solutions without using that module. Maybe it helps...
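The first option above, fixing the certificate chain, shown as an added example (not code from this thread, Centrifugo or jscent): it builds a throwaway root, intermediate and leaf with the `openssl` CLI and checks that a client trusting only the root rejects a leaf-only file but accepts leaf plus intermediate. All subjects, file names and the helper functions are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name, subject and path here is constructed for the demo.
set -eu

newkey() {  # $1 = file basename, $2 = common name: writes $1.key and $1.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign() {    # $1 = CSR, $2 = cert to write, $3 = extension file, rest = signer options
    csr=$1 crt=$2 ext=$3; shift 3
    openssl x509 -req -in "$csr" -out "$crt" -days 2 -extfile "$ext" "$@" 2>/dev/null
}

make_chain() {  # build root -> intermediate -> leaf inside directory $1
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > "$d/leaf.ext"
    newkey "$d/root" "Demo Root CA"
    sign "$d/root.csr" "$d/root.pem" "$d/ca.ext" -signkey "$d/root.key"
    newkey "$d/int" "Demo Intermediate CA"
    sign "$d/int.csr" "$d/int.pem" "$d/ca.ext" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial
    newkey "$d/leaf" "demo.example"
    sign "$d/leaf.csr" "$d/leaf.pem" "$d/leaf.ext" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial
}

# Model a client that trusts only the root ($1) and receives the certificates
# in the served file ($2, leaf first). openssl verify checks the first
# certificate in $2 and may use the rest of $2 as untrusted intermediates.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
cat "$work/leaf.pem" "$work/int.pem" > "$work/fullchain.pem"   # leaf first, then intermediate
for served in leaf.pem fullchain.pem; do
    if chain_ok "$work/root.pem" "$work/$served"; then
        echo "$served: chain verifies"
    else
        echo "$served: client cannot build a path to the root"
    fi
done
```

The same `chain_ok` check can be pointed at the file a server's `ssl_certificate` directive names, with the issuing CA's root certificate as the first argument.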
You mean NODE_EXTRA_CA_CERTS='./path/to/root-cas.pem' node example.js
Doesn't work, I checked.
Btw, as temporary solution you can use this code before calling jscent functions:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
@FZambia, I know, but it's not a good idea to disable the protection. At night I tested Debian 9.1 and this problem is not there. I think the problem is in ca-certificate in 8.9, since the Let's Encrypt root CA is not included in the standard package.
solution here https://github.com/centrifugal/centrifugo/issues/192
message: 'Request failed with an error',
url: 'https://*********.ru:8000/centrifugo/api/',
error:
 { Error: unable to verify the first certificate
     at TLSSocket.<anonymous> (_tls_wrap.js:1104:38)
     at emitNone (events.js:105:13)
     at TLSSocket.emit (events.js:207:7)
     at TLSSocket._finishInit (_tls_wrap.js:638:8)
     at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:468:38)
   code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' },
statusCode: null,
body: null }
can help?